LockBit ransom gang behind mass exploitation of Citrix bug, researchers say

Security researchers are blaming a now-patched Citrix zero-day vulnerability for a recent spate of November ransomware attacks, said to be carried out by the notorious LockBit gang – and warn that more are coming.

Dubbed the “CitrixBleed,” security researchers have said that a mass execution campaign on the zero-day took place between July 20th and 21st, just days after the bug was disclosed by the cloud computing company.

Now, some industry insiders say that the LockBit ransomware gang is most likely the threat actors behind the large scale attack.

Big names thought to be victims of the mass exploit include global aerospace leader The Boeing Company, China’s ICBC Financial Services, Australian port operator DP World, and the London-based international law firm Allen & Overy.

Cybersecurity researcher Kevin Beaumont was the first to connect the dots, writing about the attacks in a blog post nearly two weeks ago, but is just getting traction now.

“I wrote about how LockBit ransomware group have assembled a Strike Team and are using a Citrix vulnerability to extort the world’s largest companies," Beaumont posted on X Tuesday.

“Pieces together what happened at ICBC, Boeing, DP World, Allen & Overy and more,” the researcher said.

July through August rewind

The Citrix bug – CVE-2023-3519 – and two other less critical bugs, were first disclosed by the company on July 18th.

A warning advisory from the US Cybersecurity Infrastructure and Security Administration (CISA), who said they were monitoring the vulnerability, was also released at the time.

The vulnerability itself allowed threat actors to exploit an unauthenticated remote code execution (RCE) affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway, CISA warned at the time.

NetScaler is a software-based application delivery controller (ADC) solution normally installed in data centers to manage incoming traffic flow. The ADC works as a sort of traffic cop between users and servers that run websites.

Paul Brucciani, Cyber Security Advisor at WithSecure, described the NetScaler ADC like "a baton-waving traffic conductor for your online applications."

“It helps manage all the incoming user traffic, making sure it gets to the right application quickly and safely," Brucciani said.

"NetScaler Gateway is like a nightclub bouncer that controls the single point of entry to your work applications," he added.

By August, it was clear that malicious actors took advantage of the zero day and created backdoors to thousands of servers by placing webshells on vulnerable NetScalers to gain access.

Citrix lockbit Fox-IT backdoor research
Amount of Compromised NetScalers per country as of August 14th 2023. Image by Fox-IT.

October's so-called fix

Citrix had released a critical fix for the bug in October, but it was soon discovered that even after the fix, the backdoors remained operable, and compromised systems were still vulnerable to arbitrary commands executed by malicious actors.

"When it was published on 10th October along with a patch to remove the vulnerability, it was rated as a critical vulnerability, scoring 9.4 out of 10," said Brucciani.

"The vulnerability provides access to remote desktop applications and data protected behind organizations' firewalls without generating any alerts or logs. That's already serious," he explained.

"It has been estimated that 75 percent of all Internet traffic passes through Citrix NetScaler ADC every day, which means that any vulnerability found within these appliances would put immense power into the hands of the attacker," he said.

An August 15th joint research report by NCC Group’s Fox-IT and the Dutch Institute of Vulnerability Disclosure (DIVD) found more than 1900 NetScalers remain backdoored, including the roughly 1200 already patched.

At the time of the discovery over 31,000 NetScalers were discovered to be vulnerable with at least 6.3% of those servers being backdoored, the Fox-IT and DIVD research showed.

But Brucciani also points out that In 2022 alone, 25,000 new vulnerabilities were published, making the Citrix bug just another flaw.

“Only 2% of vulnerabilities are exploited for malicious purposes and not even banks have the resources to patch every vulnerability immediately," he said.

“Even if you make the right call, patching isn't easy, especially for large organizations like ICBC operating complex IT systems that, assuming every vulnerable asset has been identified, cannot easily be taken offline for patching," Brucciani added.

Back to the present threat

Meanwhile Beaumont, sharing a clip of his writing, put the numbers of systems left unpatched closer to 5,000.

Beaumont mentions those vulnerable systems include "over 100 financial services firms, governments (including central), councils, lawyers etc." in another X post on Tuesday.

He also believes “two other ransomware groups are on the Citrix train,” but provided no names.

It's not so unbelievable that two other ransomware groups are in the mix as LockBit mainly operates as a Ransomware-as-a-Service (RaaS) model.

This is where affiliates are recruited to conduct attacks using LockBit tools and infrastructure, according to CISA.

The gang has been around since 2019, and is considered one of the most active ransomware groups since 2022.

The LockBit ransomware variant, now in its third iteration, is considered the most deployed ransomware variant across the world.

November victim train

The four companies singled out by Beaumont have all experienced massive hacks in the past few weeks, most claimed by the Russian-linked LockBit group and some with data already leaked on the dark web.

Boeing was first listed as a LockBit victim on October 27th.

In a cat-and-mouse game of purported negotiations – with Boeing’s name posted on and then taken off the LockBit site multiple times – the gang eventually decided to leak 50GB of data allegedly stolen from the aerospace and commercial jetliner manufacturer on November 10th.

Next, the New York arm of China's biggest lender, the state owned the Industrial and Commercial Bank of China, known as ICBC, was hit by a ransomware attack on November 9th.

The attack sent shockwaves throughout the global financial system, disrupting the US Treasury market, leading to speculation that ICBC would pay LockBit an undisclosed ransom amount.

Tuesday, LockBit apparently told Reuters news agency that ICBC did pay the ransom demand, and that the case was “closed.”

Furthermore, DP World Australia, one of the nation’s largest ports operators, was crippled by a cybersecurity incident halting operations for three days over the weekend.

An arm of the Dubai-based DP World, the cargo logistics company manages about 40% of the goods that flow in and out of Australia. It announced all facilities were fully operational on Tuesday.

Last, Allen & Overy (A&O) confirmed a cyber incident had impacted its servers on November 8th.

A&O told Cybernews it was still assessing what data has been impacted while the company informs clients.

LockBit has given the global law firm until November 28th to pay up before it threatens to publish the alleged stolen data.

Back in December 2022, in a similar scenario, Fox-IT researchers also found thousands of Citrix ADC's and gateway servers still exposed after patching two critical vulnerabilities.

The two flaws, an authentication bypass flaw and remote code execution vulnerability were found to be exploited in the wild by the China-linked Advanced persistent threat (APT) group Manganese (APT5).

More from Cybernews:

Meta, Alphabet, ByteDance must face social media addiction lawsuits

Electric air taxi 'quietly' completes first test run in NYC

EP committee rejects “mass surveillance” proposal, similar to UK’s Online Safety Bill

YouTube cracking down on AI clones of artists, content creators

Gamblers’ data compromised after casino giant fails to set password

Subscribe to our newsletter